The concept of certificates was something i thought i was “iffy” about. Meaning-> I’d a fair idea what it was but i wouldn’t dare explain it to anyone. You know the feeling right?! So i sat today and looked through some articles about Certificates. And here are my findings.
The magic question : What are certificates?
The not so magical answer : They are ways of identifying people, devices, websites or institutions.
So we know that certificates are used to verify if the other party are who they claim they are. CA’s are the dudes who act as the “verification reference”. Ok here’s an example. If A wants to talk to B but is not sure if the person responding to his questions are actually B, it asks for some proof. B provides a certificate issued by X ( a person that both A and B trust ). Once A gets this certificate and if the certificate is verified to be issued by X, A starts trusting B. So X here is a Certificate Authority ( because he has the authority to issue certificates ). If this clear lets dive in .
The certificate uses public-key encryption technique. To be specific RSA. I’m assuming that you know PKI is. This comes into play in two places.
1) For A to verify that B is producing a certificate assigned to it by X ( who is trusted by A ), X signs the certificate sent to B with the private-key of X. As soon as A gets the certificate , it decrypts it by using X’s public key. If this decryption is successful, A now knows that X created this certificate and assigned it to B. This is because the public-key can only Decrypt data signed by it’s sister Private-key. The private-key is only and Only known by the person it is created for ( X in this case ). So by decrypting the certificate using X’s public key, A confirms that it was encrypted using X’s private key.
2) Now A has authenticated that the certificate is genuine. In order to start communications with B over a insecure network, it has to encrypt the data. The encryption of data must be done by using B’s public key. This is to ensure that upon receiving the encrypted messages from A, B can decrypt it using B’s Private key. This ensures that data confidentiality is achieved. So you might get the question( if you are understand all of this ) , where the F*** does A get the public key of B from? Answer, B’s certificate. Yes, the public key of B is one of the fields in the certificate that B sends over to A .
Ok, to end the introduction, we can now say that the following things happen
- B creates it’s public and private key-pair and sends the public key over the the CA ( X ).
- It begs the CA to issue it a certificate ( ok, beg’s a little too dramatic! )
- CA verifies that B is who he says he is and issues the certificate to B.
- One of the payloads in the certificate is B’s public-key.
- This certificate is signed by X’s private-key for verification of X.
If this is all an overload, re-read. Next article we go into X.509 certificates and their fields….
